2024-05-07, Version 20.13.0 'Iron' (LTS), @marco-ippolito

2024-05-07, Version 20.13.0 'Iron' (LTS), @marco-ippolito

buffer: improve base64 and base64url performance

The performance of the base64 and base64url encoding and decoding functions has been improved significantly.

Contributed by Yagiz Nizipli in #52428

crypto: deprecate implicitly shortened GCM tags

This release, introduces a doc-only deprecation of using GCM authentication tags that are shorter than the cipher's block size, unless the user specified the authTagLength option.

Contributed by Tobias Nießen in #52345

events,doc: mark CustomEvent as stable

From this release CustomEvent has been marked stable.

Contributed by Daeyeon Jeong in #52618

fs: add stacktrace to fs/promises

Sync functions in fs throwed an error with a stacktrace which is helpful for debugging. But functions in fs/promises throwed an error without a stacktrace. This commit adds stacktraces by calling Error.captureStacktrace and re-throwing the error.

Contributed by 翠 / green in #49849

report: add --report-exclude-network option

New option --report-exclude-network, also available as report.excludeNetwork, enables the user to exclude networking interfaces in their diagnostic report. On some systems, this can cause the report to take minutes to generate so this option can be used to optimize that.

Contributed by Ethan Arrowood in #51645

src: add uv_get_available_memory to report and process

From this release it is possible to get the available memory in the system by calling process.getAvailableMemory().

Contributed by theanarkh #52023

stream: support typed arrays

This commit adds support for typed arrays in streams.

Contributed by IlyasShabi #51866

util: support array of formats in util.styleText

It is now possible to pass an array of format strings to util.styleText to apply multiple formats to the same text.

console.log(util.styleText(['underline', 'italic'], 'My italic underlined message'));

Contributed by Marco Ippolito in #52040

v8: implement v8.queryObjects() for memory leak regression testing

This is similar to the queryObjects() console API provided by the Chromium DevTools console. It can be used to search for objects that have the matching constructor on its prototype chain in the heap after a full garbage collection, which can be useful for memory leak regression tests.
To avoid surprising results, users should avoid using this API on constructors whose implementation they don't control, or on constructors that can be invoked by other parties in the application.

To avoid accidental leaks, this API does not return raw references to the objects found. By default, it returns the count of the objects found. If options.format is 'summary', it returns an array containing brief string representations for each object. The visibility provided in this API is similar to what the heap snapshot provides, while users can save the cost of serialization and parsing and directly filer the target objects during the search.

We have been using this API internally for the test suite, which has been more stable than any other leak regression testing strategies in the CI. With a public implementation we can now use the public API instead.

const { queryObjects } = require('node:v8');
class A { foo = 'bar'; }
console.log(queryObjects(A)); // 0
let a = new A();
console.log(queryObjects(A)); // 1
// [ "A { foo: 'bar' }" ]
console.log(queryObjects(A, { format: 'summary' }));

// Release the object.
a = null;
// Search again. queryObjects() includes a full garbage collection
// so a should disappear.
console.log(queryObjects(A)); // 0

class B extends A { bar = 'qux'; }
// The child class B's prototype has A's prototype on its prototype chain
// so the prototype object shows up too.
console.log(queryObjects(A, { format: 'summary' })); // [ A {}' ]

Contributed by Joyee Cheung in #51927

watch: mark as stable

From this release Watch Mode is considered stable.
When in watch mode, changes in the watched files cause the Node.js process to restart.

Contributed by Moshe Atlow in #52074

Other Notable Changes

• [f8ad30048d] - benchmark: add AbortSignal.abort benchmarks (Raz Luvaton) #52408
• [3b41da9a56] - (SEMVER-MINOR) deps: update simdutf to 5.0.0 (Daniel Lemire) #52138
• [0a08c4a7b3] - (SEMVER-MINOR) deps: update undici to 6.3.0 (Node.js GitHub Bot) #51462
• [f1b7bda4f5] - (SEMVER-MINOR) deps: update undici to 6.2.1 (Node.js GitHub Bot) #51278
• [4acca8ed84] - (SEMVER-MINOR) dns: add order option and support ipv6first (Paolo Insogna) #52492
• [cc67720ff9] - doc: update release gpg keyserver (marco-ippolito) #52257
• [c2def7df96] - doc: add release key for marco-ippolito (marco-ippolito) #52257
• [807c89cb26] - doc: add UlisesGascon as a collaborator (Ulises Gascón) #51991
• [5e78a20ef9] - (SEMVER-MINOR) doc: deprecate fs.Stats public constructor (Marco Ippolito) #51879
• [722fe64ff7] - (SEMVER-MINOR) lib, url: add a windows option to path parsing (Aviv Keller) #52509
• [d116fa1568] - (SEMVER-MINOR) net: add CLI option for autoSelectFamilyAttemptTimeout (Paolo Insogna) #52474
• [6af7b78b0d] - (SEMVER-MINOR) src: add string_view overload to snapshot FromBlob (Anna Henningsen) #52595
• [b3a11b574b] - (SEMVER-MINOR) src: preload function for Environment (Cheng Zhao) #51539
• [41646d9c9e] - (SEMVER-MINOR) test_runner: add suite() (Colin Ihrig) #52127
• [fc9ba17f6c] - (SEMVER-MINOR) test_runner: add test:complete event to reflect execution order (Moshe Atlow) #51909

Commits

• [6fdd748b21] - benchmark: reduce the buffer size for blob (Debadree Chatterjee) #52548
• [2274d0c868] - benchmark: inherit stdio/stderr instead of pipe (Ali Hassan) #52456
• [0300598315] - benchmark: add ipc support to spawn stdio config (Ali Hassan) #52456
• [f8ad30048d] - benchmark: add AbortSignal.abort benchmarks (Raz Luvaton) #52408
• [7508d48736] - benchmark: conditionally use spawn with taskset for cpu pinning (Ali Hassan) #52253
• [ea8e72e185] - benchmark: add toNamespacedPath bench (Rafael Gonzaga) #52236
• [c00715cc1e] - benchmark: add style-text benchmark (Rafael Gonzaga) #52004
• [1c1a6935ee] - buffer: add missing ARG_TYPE(ArrayBuffer) for isUtf8 (Jungku Lee) #52477
• [1b2aff7dce] - buffer: improve base64 and base64url performance (Yagiz Nizipli) #52428
• [328bded5ab] - buffer: improve btoa performance (Yagiz Nizipli) #52427
• [e67bc34326] - buffer: use simdutf for atob implementation (Yagiz Nizipli) #52381
• [5abddb45d8] - build: fix typo in node.gyp (Michaël Zasso) #52719
  ...

2024-05-02, Version 22.1.0 (Current), @targos prepared by @aduh95

module: implement NODE_COMPILE_CACHE for automatic on-disk code caching

This patch implements automatic on-disk code caching that can be enabled
via an environment variable NODE_COMPILE_CACHE=/path/to/cache/dir.

When set, whenever Node.js compiles a CommonJS or a ECMAScript Module,
it will use on-disk V8 code cache
persisted in the specified directory
to speed up the compilation. This may slow down the first load of a
module graph, but subsequent loads of the same module graph may get
a significant speedup if the contents of the modules do not change.
Locally, this speeds up loading of test/fixtures/snapshot/typescript.js
from ~130ms to ~80ms.

To clean up the generated code cache, simply remove the directory.
It will be recreated the next time the same directory is used for
NODE_COMPILE_CACHE.

Compilation cache generated by one version of Node.js may not be used
by a different version of Node.js. Cache generated by different versions
of Node.js will be stored separately if the same directory is used
to persist the cache, so they can co-exist.

Caveat: currently when using this with V8 JavaScript code coverage, the
coverage being collected by V8 may be less precise in functions that are
deserialized from the code cache. It's recommended to turn this off when
running tests to generate precise coverage.

Contributed by Joyee Cheung in #52535.

Other Notable Changes

• [44ee04cf9f] - buffer: improve base64 and base64url performance (Yagiz Nizipli) #52428
• [3c37ce5710] - (SEMVER-MINOR) dns: add order option and support ipv6first (Paolo Insogna) #52492
• [3026401be1] - events,doc: mark CustomEvent as stable (Daeyeon Jeong) #52618
• [64428dc1c9] - (SEMVER-MINOR) lib, url: add a windows option to path parsing (Aviv Keller) #52509
• [d79ae74f71] - (SEMVER-MINOR) net: add CLI option for autoSelectFamilyAttemptTimeout (Paolo Insogna) #52474
• [43fa6a1a45] - (SEMVER-MINOR) src: add string_view overload to snapshot FromBlob (Anna Henningsen) #52595
• [c6fe433d42] - src,permission: throw async errors on async APIs (Rafael Gonzaga) #52730
• [e247a61d15] - (SEMVER-MINOR) test_runner: add --test-skip-pattern cli option (Aviv Keller) #52529
• [9b18df9dcb] - (SEMVER-MINOR) url: implement parse method for safer URL parsing (Ali Hassan) #52280

Commits

• [35643c18c0] - benchmark: reduce the buffer size for blob (Debadree Chatterjee) #52548
• [7cdfe8a3fc] - benchmark: inherit stdio/stderr instead of pipe (Ali Hassan) #52456
• [7b82c17f22] - benchmark: add ipc support to spawn stdio config (Ali Hassan) #52456
• [dfda6fed61] - buffer: add missing ARG_TYPE(ArrayBuffer) for isUtf8 (Jungku Lee) #52477
• [44ee04cf9f] - buffer: improve base64 and base64url performance (Yagiz Nizipli) #52428
• [c64a1a3b89] - build: fix typo in node.gyp (Michaël Zasso) #52719
• [4f713fbc2e] - build: fix headers install for shared mode on Win (Segev Finer) #52442
• [4baeb7b21d] - build: fix arm64 cross-compilation bug on non-arm machines (Mahdi Sharifi) #52559
• [d5cd468ce8] - build,tools,node-api: fix building node-api tests for Windows Debug (Vladimir Morozov) #52632
• [910533fcfd] - crypto: simplify assertions in Safe*Print (David Benjamin) #49709
• [61e1ac0b8c] - crypto: enable NODE_EXTRA_CA_CERTS with BoringSSL (Shelley Vohr) #52217
• [6e98eee256] - deps: upgrade npm to 10.7.0 (npm team) #52767
• [27a5f9418c] - deps: V8: cherry-pick 500de8bd371b (Richard Lau) #52676
• [3b422ddcea] - deps: update corepack to 0.28.0 (Node.js GitHub Bot) #52616
• [d40e4d4c42] - deps: update ada to 2.7.8 (Node.js GitHub Bot) #52517
• [5b52a4870a] - deps: update icu to 75.1 (Node.js GitHub Bot) #52573
• [80cbe72c1f] - deps: update undici to 6.13.0 (Node.js GitHub Bot) #52493
• [9a44059055] - deps: update zlib to 1.3.0.1-motley-7d77fb7 (Node.js GitHub Bot) #52516
• [d67a9a5360] - deps: update minimatch to 9.0.4 (Node.js GitHub Bot) #52524
• [8738b89971] - deps: upgrade npm to 10.5.2 (npm team) #52458
• [8e4fd2842b] - deps,src: simplify base64 encoding (Daniel Lemire) #52714
• [3c37ce5710] - (SEMVER-MINOR) dns: add order option and support ipv6first (Paolo Insogna) #52492
• [3987a28a9e] - doc: update process.versions properties (ishabi) #52736
• [c0b58e07f1] - doc: remove mold use on mac for speeding up build (Cong Zhang) #52252
• [9a032cf6e2] - doc: remove relative limitation to pm (Rafael Gonzaga) #52648
• [90c6e77238] - doc: fix info string causing duplicated code blocks (Mathieu Leenhardt) #52660
• [4d577fa048] - doc: add .gitattributes for md files (Hüseyin Açacak) #52161
• [04c8e110e5] - doc: run license-builder (github-actions[bot]) #52631
• [3552829594] - doc: add info on contributor spotlight program (Michael Dawson) #52598
• [eeb80ad836] - doc: correct unsafe URL example in http docs (Malte Legenhausen) #52555
• [c83526a688] - doc: replace U+00A0 with U+0020 (Luigi Pinca) #52590
• [31831e9db8] - doc: sort options alphabetically (Luigi Pinca) #52589
• [a93f5d4aaa] - doc: correct stream.finished changes (KaKa) #52551
• [27ffa35540] - doc: add RedYetiDev to triage team (Aviv Keller) #52556
• [63cc2b870e] - doc: fix issue detected in markdown lint update (Rich Trott) #52566
• [7e93c4892b...

2024-04-24, Version 22.0.0 (Current), @RafaelGSS and @marco-ippolito

We're excited to announce the release of Node.js 22!
Highlights include require()ing ESM graphs, WebSocket client, updates of the V8 JavaScript engine, and more!
As a reminder, Node.js 22 will enter long-term support (LTS) in October, but until then, it will be the "Current" release for the next six months.
We encourage you to explore the new features and benefits offered by this latest release and evaluate their potential impact on your applications.

Other Notable Changes

• [25c79f3331] - esm: drop support for import assertions (Nicolò Ribaudo) #52104
• [818c10e86d] - lib: improve perf of AbortSignal creation (Raz Luvaton) #52408
• [4f68c7c1c9] - watch: mark as stable (Moshe Atlow) #52074
• [02b0bc01fe] - (SEMVER-MAJOR) deps: update V8 to 12.4.254.14 (Michaël Zasso) #52465
• [c975384264] - (SEMVER-MAJOR) lib: enable WebSocket by default (Aras Abbasi) #51594
• [1abff07392] - (SEMVER-MAJOR) stream: bump default highWaterMark (Robert Nagy) #52037
• [1a5acd0638] - (SEMVER-MAJOR) v8: enable maglev on supported architectures (Keyhan Vakil) #51360
• [128c60d906] - (SEMVER-MINOR) cli: implement node --run <script-in-package-json> (Yagiz Nizipli) #52190
• [151d365ad1] - (SEMVER-MINOR) fs: expose glob and globSync (Moshe Atlow) #51912
• [5f7fad2605] - (SEMVER-MINOR) module: support require()ing synchronous ESM graphs (Joyee Cheung) #51977

Semver-Major Commits

• [2b1e7c2fcb] - (SEMVER-MAJOR) build: compile with C++20 support on Windows (StefanStojanovic) #52465
• [12d00f1479] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #52465
• [5f08e11a3c] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #52293
• [94f0369d1d] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #51362
• [58674cd1d8] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #50115
• [60e836427e] - (SEMVER-MAJOR) console: treat non-strings as separate argument in console.assert() (Jacob Hummer) #49722
• [d62ab3a1ef] - (SEMVER-MAJOR) crypto: runtime deprecate hmac constructor (Marco Ippolito) #52071
• [de0602d190] - (SEMVER-MAJOR) crypto: runtime deprecate Hash constructor (Marco Ippolito) #51880
• [215f4d04b7] - (SEMVER-MAJOR) crypto: move createCipher and createDecipher to eol (Marco Ippolito) #50973
• [30801b8aaf] - (SEMVER-MAJOR) deps: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) #52465
• [521b629ab1] - (SEMVER-MAJOR) deps: V8: revert CL 5331688 (Michaël Zasso) #52465
• [3795e97e6c] - (SEMVER-MAJOR) deps: patch V8 to support compilation with MSVC (StefanStojanovic) #52465
• [5bde9e677d] - (SEMVER-MAJOR) deps: silence internal V8 deprecation warning (Michaël Zasso) #52465
• [46e628c6f2] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #52465
• [f824e40a82] - (SEMVER-MAJOR) deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #52465
• [d2c84c9a13] - (SEMVER-MAJOR) deps: avoid compilation error with ASan (Michaël Zasso) #52465
• [95d6045bdb] - (SEMVER-MAJOR) deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #52465
• [00f55f5743] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) #52465
• [764085aa66] - (SEMVER-MAJOR) deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #52465
• [02b0bc01fe] - (SEMVER-MAJOR) deps: update V8 to 12.4.254.14 (Michaël Zasso) #52465
• [0ec50a19dd] - (SEMVER-MAJOR) deps: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) #52293
• [021b0b7dee] - (SEMVER-MAJOR) deps: V8: backport c4be0a97f981 (Richard Lau) #52293
• [681aaf85c7] - (SEMVER-MAJOR) deps: silence internal V8 deprecation warning (Michaël Zasso) #52293
• [c563a1c4e4] - (SEMVER-MAJOR) deps: patch V8 to support compilation with MSVC (Stefan Stojanovic) #52293
• [11e94b9987] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #52293
• [856163e23c] - (SEMVER-MAJOR) deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #52293
• [b530214127] - (SEMVER-MAJOR) deps: avoid compilation error with ASan (Michaël Zasso) #52293
• [8054f69dd9] - (SEMVER-MAJOR) deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #52293
• [dee908be42] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) #52293
• [cf069414ee] - (SEMVER-MAJOR) deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #52293
• [cc5792dd85] - (SEMVER-MAJOR) deps: update V8 to 12.3.219.16 (Michaël Zasso) #52293
• [61a0d3b4c4] - (SEMVER-MAJOR) deps: V8: backport c4be0a97f981 (Richard Lau) #51362
• [f55380a725] - (SEMVER-MAJOR) deps: V8: cherry-pick f8d5e576b814 (Richard Lau) #51362
• [b9d806a2dd] - (SEMVER-MAJOR) deps: patch V8 to support compilation with MSVC (StefanStojanovic) #51362
• [63b58bc17b] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #51362
• [86056353c4] - (SEMVER-MAJOR) deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #51362
• [[2e0efc1c8d](2e0efc1c8...

2024-04-10, Version 21.7.3 (Current), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [9095c914ed] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#562

2024-04-10, Version 20.12.2 'Iron' (LTS), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [69ffc6d50d] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#563

2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [6627222409] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564

2024-04-03, Version 21.7.2 (Current), @RafaelGSS prepared by @marco-ippolito

This is a security release.

Notable changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation- (Medium)
• llhttp version 9.2.1
• undici version 6.11.1

Commits

• [3dfc10c851] - deps: update undici to 6.11.1 (Node.js GitHub Bot) #52328
• [aceea1c5e7] - deps: update undici to 6.10.2 (Node.js GitHub Bot) #52227
• [5f0f96b275] - deps: update llhttp to 9.2.0 (Node.js GitHub Bot) #51719
• [1a65e98e22] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#556
• [3bd39fb474] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS

This is a security release

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

Commits

• [bd8f10a257] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#576
• [5e34540a96] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557
• [ba1ae6d188] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 18.20.1 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

Commits

• [60d24938de] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#577
• [5d4d5848cf] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#558
• [0fb816dbcc] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-03-26, Version 20.12.0 'Iron' (LTS), @richardlau

Notable Changes

crypto: implement crypto.hash()

This patch introduces a helper crypto.hash() that computes
a digest from the input at one shot. This can be 1.2-2x faster
than the object-based createHash() for smaller inputs (<= 5MB)
that are readily available (not streamed) and incur less memory
overhead since no intermediate objects will be created.

const crypto = require('node:crypto');

// Hashing a string and return the result as a hex-encoded string.
const string = 'Node.js';
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash('sha1', string));

Contributed by Joyee Cheung in #51044.

Loading and parsing environment variables

• process.loadEnvFile(path):

  • Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().
  • Load a specific .env file by specifying its path. Example: process.loadEnvFile('./development.env').

• util.parseEnv(content):

  • Use this function to parse an existing string containing environment variable assignments.
  • Example usage: require('node:util').parseEnv('HELLO=world').

Contributed by Yagiz Nizipli in #51476.

New connection attempt events

Three new events were added in the net.createConnection flow:

• connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user.
This led to a failed assertion.

Contributed by Paolo Insogna in #51045.

Permission Model changes

Node.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits.
We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.

$ node --experimental-permission --allow-addons

Contributed by Rafael Gonzaga in #51183

And relative paths are now supported through the --allow-fs-* flags.
Therefore, with this release one can use:

$ node --experimental-permission --allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #50758.

sea: support embedding assets

Users can now include assets by adding a key-path dictionary
to the configuration as the assets field. At build time, Node.js
would read the assets from the specified paths and bundle them into
the preparation blob. In the generated executable, users can retrieve
the assets using the sea.getAsset() and sea.getAssetAsBlob() API.

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "assets": {
    "a.jpg": "/path/to/a.jpg",
    "b.txt": "/path/to/b.txt"
  }
}

The single-executable application can access the assets as follows:

const { getAsset } = require('node:sea');
// Returns a copy of the data in an ArrayBuffer
const image = getAsset('a.jpg');
// Returns a string decoded from the asset as UTF8.
const text = getAsset('b.txt', 'utf8');
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob('a.jpg');

Contributed by Joyee Cheung in #50960.

Support configurable snapshot through --build-snapshot-config flag

We are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node --build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will
not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #50453

Text Styling

• util.styleText(format, text): This function returns a formatted text considering the format passed.

A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, ...) and emphasis (italic, bold, ...).

const { styleText } = require('node:util');
const errorMessage = styleText('red', 'Error! Error!');
console.log(errorMessage);

Contributed by Rafael Gonzaga in #51850.

vm: support using the default loader to handle dynamic import()

This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the
importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring --experimental-vm-modules.

const { Script, constants } = require('node:vm');
const { resolve } = require('node:path');
const { writeFileSync } = require('node:fs');

// Write test.js and test.txt to the directory where the current script
// being run is located.
writeFileSync(resolve(__dirname, 'test.mjs'),
              'export const filename = "./test.json";');
writeFileSync(resolve(__dirname, 'test.json'),
              '{"hello": "world"}');

// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
  `(async function() {
    const { filename } = await import('./test.mjs');
    return import(filename, { with: { type: 'json' } })
  })();`,
  {
    filename: resolve(__dirname, 'test-with-default.js'),
    importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
  });

// { default: { hello: 'world' } }
script.runInThisContext().then(console.log);

Contributed by Joyee Cheung in #51244.

Root certificates updated to NSS 3.98

Certificates added:

• Telekom Security TLS ECC Root 2020
• Telekom Security TLS RSA Root 2023

Certificates removed:

• Security Communication Root CA

Updated dependencies

• acorn updated to 8.11.3.
• ada updated to 2.7.6.
• base64 updated to 0.5.2.
• brotli updated to 1.1.0.
• c-ares updated to 1.27.0.
• corepack updated to 0.25.2.
• ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
• nghttp2 updated to 1.60.0.
• npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
• simdutf8 updated to 4.0.8.
• Timezone updated to 2024a.
• zlib updated to 1.3.0.1-motley-40e35a7.

Other notable changes

• [4f49e9d000] - (SEMVER-MINOR) build: build opt to set local location of headers (Michael Dawson) #51525
• [ccdb01187b] - doc: add zcbenz to collaborators (Cheng Zhao) #51812
• [481af53aea] - doc: add lemire to collaborators (Daniel Lemire) #51572
• [5ba4d96525] - (SEMVER-MINOR) http2: add h2 compat support for appendHeader (Tim Perry) #51412
• [0861498e8b] - (SEMVER-MINOR) http2: add server handshake utility (snek) #51172
• [6b08d006ee] - (SEMVER-MINOR) http2: receive customsettings (Marten Richter) #51323
• [7894989bf0] - (SEMVER-MINOR) lib: move encodingsMap to internal/util (Joyee Cheung) #51044
• [a58c98ea85] - (SEMVER-MINOR) src: print string content better in BlobDeserializer (Joyee Cheung) #50960
• [c3c0a3ee5c] - (SEMVER-MINOR) src: support multi-line values for .env file (IlyasShabi) #51289
• [2a921966c6] - (SEMVER-MINOR) src: do not coerce dotenv paths (Tobias Nießen) #51425
• [0dee86f295] - (SEMVER-MINOR) src: support configurable snapshot (Joyee Cheung) #50453
• [ade6614067] - (SEMVER-MINOR) stream: add support for deflate-raw format to webstreams compression (Damian Krzeminski) #50097
• [[`...